View Full Version : Miscellaneous Hacks - Disallow HTML code in Thread Titles


steadicamop
03 Sep 2006, 22:04
Disallow HTML code in Thread Titles v1.01

Staff Note:
Unmodified vBulletin will not evaluate HTML in thread titles. Using this modification without a hack installed that has security vulnerabilities is useless.

Also installing this modification, even with a modification installed that would make your board vulnerable to this type of HTML posting in thread titles, only will give you a false sense of security since there are many other options to exploit this, even without the use of the ">" character.

Everyone is encouraged to remove or update the vulnerable modification instead of using this hack.

Marco van Herwaarden.


By Jason Williams/Andrew Calderbank
03/09/2006

Recently there has been a spate of members posting html redirection code in thread titles, which when parsed on the forum homepage runs and redirects to whatever site they insert into the title.

This code simply disallows the characters < and > from being used in the thread titles; this is also checked when editing the post.

It's fairly simple but puts an end to members signing up and posting redirect links. I don't know whether you'd class this as a hack or bug fix, but I hope this helps other members who are frustrated with this issue.

2 file edits
1 new phrase

Should be fairly straightforward to install.

**ALWAYS BACK UP FILES BEFORE YOU EDIT THEM!!**

v1.00

Original release

v1.01

Slight code update

steadicamop
03 Sep 2006, 22:05
Reserved for updates

Puck 24/7
03 Sep 2006, 22:15
Good idea, steadicamop.

edit: there seems to be a problem in: /includes/functions_newpost.php find:

error:
Warning: preg_match(): Delimiter must not be alphanumeric or backslash in /includes/functions_newpost.php on line 379

steadicamop
03 Sep 2006, 23:01
Good idea, steadicamop.

edit: there seems to be a problem in: /includes/functions_newpost.php find:

error:
Warning: preg_match(): Delimiter must not be alphanumeric or backslash in /includes/functions_newpost.php on line 379

Ok, replace the code for this:

elseif (preg_match('/<|>/', $vbulletin->GPC['title']))
    eval(standard_error(fetch_error('nohtml')));

That should solve it.

Paul M
03 Sep 2006, 23:04
Both those files have hooks, can these changes not be done via plugins ?

steadicamop
03 Sep 2006, 23:07
I'll look into remaking it as a plugin - I've never dealt with creating plugins before so it's something I will have to do my research on.

Snake
03 Sep 2006, 23:08
Thanks for this! :)

Paul M
03 Sep 2006, 23:09
Okay, just asking.

I think far more people are likely to make use of it if no file edits are involved. :)

steadicamop
03 Sep 2006, 23:10
Okay, just asking.

I think far more people are likely to make use of it if no file edits are involved. :)

Something I'm going to try and do right now :D

DementedMindz
04 Sep 2006, 00:58
So even if you don't allow HTML they can still post HTML in thread titles? If that's the case it seems strange that vBulletin wouldn't patch that, as you could just do this all day long with a Google search finding vBulletin sites. Would suck to have to use a plugin, hack, PHP file edit, whatever, to stop it and secure your site.

Nuguru
04 Sep 2006, 01:11
Hello,

I was wondering if this security issue applies to 3.5.4 and will this fix work with 3.5.4? Or how do I get the same result making code changes with 3.5.4? Advice would be appreciated.



Thank You,

Nuguru :)

eclectica
04 Sep 2006, 02:59
Isn't this a vBulletin bug you are fixing?

chimaira
04 Sep 2006, 13:27
Ok, replace the code for this:

elseif (preg_match('/<|>/', $vbulletin->GPC['title']))
    eval(standard_error(fetch_error('nohtml')));

That should solve it.
replace what code with that exactly ?

if (preg_match('/<|>/', $post['title']))
    $errors[] = fetch_error('nohtml');

^^ that?

xman_79
04 Sep 2006, 14:57
The idea is very good, but I have a problem.

I wrote HTML code in the title and it worked (the HTML code). I wrote it a second time and the message "Could not find phrase 'nohtml'" appeared.


Please tell me how I can solve the problem.

Thanks.

steadicamop
04 Sep 2006, 15:54
You need to add the phrase in the text file; it's the last step in the instructions:

In the AdminCP -> Language & Phrases -> Phrase Manager -> Add New Phrase

Phrase Type : Front-End Error Messages
Product : VBulletin
Varname : nohtml
Text : Sorry, you are not allowed to post HTML in Thread titles, please go back and change it.

HTH

apdcanari
04 Sep 2006, 17:11
Vb 3.5.4 ? Please :rolleyes:

redlabour
04 Sep 2006, 18:37
Thx ... these Guys tried it at my Project ! ;)

steadicamop
04 Sep 2006, 20:46
Vb 3.5.4 ? Please :rolleyes:

Have you tried searching for the code in the 3.5.4 files (I'm not totally sure whether postings.php exists in that version), it's something I could look into for that version too.

steadicamop
04 Sep 2006, 20:52
replace what code with that exactly ?

if (preg_match('/<|>/', $post['title']))
    $errors[] = fetch_error('nohtml');

^^ that?

Only replace the code with that if you installed v1.00 - which I think didn't last too long before the update, the new file has the correct code in.

smoothfuego
05 Sep 2006, 06:14
Have you tried searching for the code in the 3.5.4 files (I'm not totally sure whether postings.php exists in that version), it's something I could look into for that version too.

it does exist but the coding for the includes/functions_newpost.php (or something like that) is different so it can't work with 3.5.4 :cry: if you could do one for 3.5.4 it would be greatly appreciated as someone is constantly doing it to my forum.

Nuguru
05 Sep 2006, 06:24
Hello,

I was wondering if this security issue applies to 3.5.4 and will this fix work with 3.5.4? Or how do I get the same result making code changes with 3.5.4? Advice would be appreciated.



Thank You,

Nuguru :)

Hello,

I was wondering if this fix works for vb 3.5.4? If not, is there a way it could?


Thank You,

Nuguru :)

xman_79
05 Sep 2006, 14:06
I did what you said, but nothing changed.

filmking
05 Sep 2006, 18:26
Not working at all for me

captainslater
05 Sep 2006, 18:29
You can add this HTML stuff to your bad word list; this works fine on my board.

karlm
05 Sep 2006, 18:52
For those working in vb3.5.4, try this quick fix I found here (http://www.vbulletin.com/forum/showthread.php?p=1204007#post1204007).

Go into your AdminCP and under vB Options choose Censorship Options.

In the Censored Words window add this.

{meta} >>>> {http-equiv} "Refresh" """"

That will put an end to this nonsense.

bashy
05 Sep 2006, 19:03
Great idea lol :)

You can add this HTML stuff to your bad word list; this works fine on my board.

TAL_NEW
05 Sep 2006, 20:26
Good work ;)

tuanvic
06 Sep 2006, 14:06
Hi, I can't find this Phrase Type in my Admin CP: Front-End Error Messages. Can anyone help me? I'm using vbb 3.6.

Scott MacVicar
06 Sep 2006, 14:11
vBulletin does not allow HTML code in thread titles, the problem is the TopXStats modification which does absolutely no checking before storing / displaying data.

I'm thinking this thread should be closed since it's going to cause a misconception that it's a vBulletin problem; the much easier solution is to fix your TopXStats modification.

It also doesn't fix the cases where you can use things other than >, what about injecting a new parameter.

" onmouseover="window.location='www.hax0r.com'"

That should work as a title as well.
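
The point made in the post above, as an added example that is not part of the thread and is not vBulletin or TopXStats code: it runs the `<`/`>` check posted earlier against the quoted title and compares unencoded output with output passed through PHP's htmlspecialchars(). The render functions, the link markup and the first and third sample titles are assumptions made for illustration; the thread does not show the add-on's code.

```php
<?php
// Added illustration; not code from vBulletin, TopXStats or the posted modification.

// The check as posted in this thread: a title is refused only if it has < or >.
function title_passes_blacklist(string $title): bool
{
    return preg_match('/<|>/', $title) !== 1;
}

// Hypothetical stand-in for an add-on that prints a stored title into an
// HTML attribute without encoding it.
function render_unsafe(string $title): string
{
    return '<a href="showthread.php?t=1" title="' . $title . '">thread</a>';
}

// Same markup, with the title encoded at the point of output.
// ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
function render_encoded(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return '<a href="showthread.php?t=1" title="' . $safe . '">thread</a>';
}

// Constructed sample input; the second title is the one quoted in the post above.
$titles = [
    'Welcome to the forum',
    '" onmouseover="window.location=\'www.hax0r.com\'"',
    '<b>bold title</b>',
];

foreach ($titles as $title) {
    printf("title:     %s\n", $title);
    printf("blacklist: %s\n", title_passes_blacklist($title) ? 'accepted' : 'rejected');
    printf("unsafe:    %s\n", render_unsafe($title));
    printf("encoded:   %s\n\n", render_encoded($title));
}
```

The second title contains neither `<` nor `>`, so the blacklist accepts it, and the unencoded output ends up with a separate onmouseover attribute; the encoded output keeps the whole string inside title="...".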

Marco van Herwaarden
06 Sep 2006, 14:32
Staff Note:
Unmodified vBulletin will not evaluate HTML in thread titles. Using this modification without a hack installed that has security vulnerabilities is useless.

Also installing this modification, even with a modification installed that would make your board vulnerable to this type of HTML posting in thread titles, only will give you a false sense of security since there are many other options to exploit this, even without the use of the ">" character.

Everyone is encouraged to remove or update the vulnerable modification instead of using this hack.

DementedMindz
06 Sep 2006, 14:41
vBulletin does not allow HTML code in thread titles, the problem is the TopXStats modification which does absolutely no checking before storing / displaying data.

I'm thinking this thread should be closed since it's going to cause a misconception that it's a vBulletin problem; the much easier solution is to fix your TopXStats modification.

It also doesn't fix the cases where you can use things other than >, what about injecting a new parameter.

" onmouseover="window.location='www.hax0r.com'"

That should work as a title as well.

So you're saying TopXStats still needs to be fixed? Or the new version fixed the problem? Sorry for posting this in this thread but I figured you wouldn't see it in that one.

Marco van Herwaarden
06 Sep 2006, 15:14
The new version of TopXStats should solve all known exploits in that modification.

DementedMindz
06 Sep 2006, 19:47
thanks Marco and thanks for the response.

steadicamop
07 Sep 2006, 22:51
Staff Note:
Unmodified vBulletin will not evaluate HTML in thread titles. Using this modification without a hack installed that has security vulnerabilities is useless.

Also installing this modification, even with a modification installed that would make your board vulnerable to this type of HTML posting in thread titles, only will give you a false sense of security since there are many other options to exploit this, even without the use of the ">" character.

Everyone is encouraged to remove or update the vulnerable modification instead of using this hack.

If this is causing issues, please delete it, I'd rather not cause confusion or issues for other members.

Jason